<p>Using setters in Struts 2 ActionSupport is security-sensitive. For example, their use has led in the past to the following vulnerabilities:</p>
<ul>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1006">CVE-2012-1006</a> </li>
</ul>
<p>All classes extending <code>com.opensymphony.xwork2.ActionSupport</code> are potentially remotely reachable. An action class extending
ActionSupport will receive all HTTP parameters sent and these parameters will be automatically mapped to the setters of the Struts 2 action class. One
should review the use of the fields set by the setters, to be sure they are used safely. By default, they should be considered as untrusted
inputs.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> the setter is needed. There is no need for it if the attribute's goal is not to map queries' parameter. </li>
  <li> the value provided to the setter is properly sanitized before being used or stored. (*) </li>
</ul>
<p>(*) You are at risk if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>As said in Struts documentation: <a href="https://struts.apache.org/security/#do-not-define-setters-when-not-needed">"Do not define setters when
not needed"</a></p>
<p>Sanitize the user input. This can be for example done by implementing the <code>validate()</code> method of
<code>com.opensymphony.xwork2.ActionSupport</code>.</p>
<h2>Noncompliant Code Example</h2>
<pre>
public class AccountBalanceAction extends ActionSupport {
  private static final long serialVersionUID = 1L;
  private Integer accountId;

  // this setter might be called with user input
  public void setAccountId(Integer accountId) {
    this.accountId = accountId;
  }

  @Override
  public String execute() throws Exception {
    // call a service to get the account's details and its balance
    [...]
    return SUCCESS;
  }
}
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP Top 10 2017 Category A1</a> - Injection </li>
</ul>
<h2>Deprecated</h2>
<p>This rule is deprecated, and will eventually be removed.</p>

